Bug 1862066: Allow CA enabled when pref is set by enterprise policy or is set alongside command line arg r=gstoll,mkaply,fluent-reviewers,bolsson

Content analysis should not be turned on unless an enterprise policy
requires it or the -allow-content-analysis command-line argument is passed
(which is intended to be used for development).

Differential Revision: https://phabricator.services.mozilla.com/D203331
David P
2024-03-08 18:15:28 +00:00
parent c3c462fdb4
commit 7c9f833074
8 changed files with 70 additions and 7 deletions


@@ -509,10 +509,14 @@ export var Policies = {
},
ContentAnalysis: {
onBeforeUIStartup(manager, param) {
onBeforeAddons(manager, param) {
if ("Enabled" in param) {
let enabled = !!param.Enabled;
setAndLockPref("browser.contentanalysis.enabled", enabled);
let ca = Cc["@mozilla.org/contentanalysis;1"].getService(
Ci.nsIContentAnalysis
);
ca.isSetByEnterprisePolicy = true;
}
},
},
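Review bot: Nothing at the `ca.isSetByEnterprisePolicy = true;` line says why the policy handler reaches into the service, yet that flag is what lets the C++ `GetIsActive` activate without `-allow-content-analysis`. A short comment would keep a later refactor from dropping it, e.g. `// Mark the pref as policy-set; without this (or -allow-content-analysis) the service stays inactive.` The flag is set whenever `Enabled` is present, including when it is false. That looks harmless because the pref is locked to false in that case, but it is worth saying so in the comment.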


@@ -235,6 +235,15 @@
}
},
"ContentAnalysis": {
"type": "object",
"properties": {
"Enabled": {
"type": "boolean"
}
}
},
"Cookies": {
"type": "object",
"properties": {


@@ -45,6 +45,8 @@ policy-CaptivePortal = Enable or disable captive portal support.
policy-CertificatesDescription = Add certificates or use built-in certificates.
policy-ContentAnalysis = Enable or disable connection to data-loss-prevention agent.
policy-Cookies = Allow or deny websites to set cookies.
# Containers in this context is referring to container tabs in Firefox.


@@ -712,6 +712,7 @@ ContentAnalysis::ContentAnalysis()
: mCaClientPromise(
new ClientPromise::Private("ContentAnalysis::ContentAnalysis")),
mClientCreationAttempted(false),
mSetByEnterprise(false),
mCallbackMap("ContentAnalysis::mCallbackMap"),
mWarnResponseDataMap("ContentAnalysis::mWarnResponseDataMap") {
GenerateUserActionId();
@@ -731,12 +732,20 @@ ContentAnalysis::GetIsActive(bool* aIsActive) {
*aIsActive = false;
// Need to be on the main thread to read prefs
MOZ_ASSERT(NS_IsMainThread());
// gAllowContentAnalysis is only set in the parent process
// gAllowContentAnalysisArgPresent is only set in the parent process
MOZ_ASSERT(XRE_IsParentProcess());
if (!gAllowContentAnalysis || !Preferences::GetBool(kIsDLPEnabledPref)) {
if (!Preferences::GetBool(kIsDLPEnabledPref)) {
LOGD("Local DLP Content Analysis is not active");
return NS_OK;
}
if (!gAllowContentAnalysisArgPresent && !mSetByEnterprise) {
LOGE(
"The content analysis pref is enabled but not by an enterprise "
"policy and -allow-content-analysis was not present on the "
"command-line. Content Analysis will not be active.");
return NS_OK;
}
*aIsActive = true;
LOGD("Local DLP Content Analysis is active");
// mClientCreationAttempted is only accessed on the main thread,
@@ -781,6 +790,29 @@ ContentAnalysis::GetMightBeActive(bool* aMightBeActive) {
return NS_OK;
}
NS_IMETHODIMP
ContentAnalysis::GetIsSetByEnterprisePolicy(bool* aSetByEnterprise) {
*aSetByEnterprise = mSetByEnterprise;
return NS_OK;
}
NS_IMETHODIMP
ContentAnalysis::SetIsSetByEnterprisePolicy(bool aSetByEnterprise) {
mSetByEnterprise = aSetByEnterprise;
return NS_OK;
}
NS_IMETHODIMP
ContentAnalysis::TestOnlySetCACmdLineArg(bool aVal) {
#ifdef ENABLE_TESTS
gAllowContentAnalysisArgPresent = aVal;
return NS_OK;
#else
LOGE("ContentAnalysis::TestOnlySetCACmdLineArg is test-only");
return NS_ERROR_UNEXPECTED;
#endif
}
nsresult ContentAnalysis::CancelWithError(nsCString aRequestToken,
nsresult aResult) {
return NS_DispatchToMainThread(NS_NewCancelableRunnableFunction(
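Review bot: `SetIsSetByEnterprisePolicy` and `TestOnlySetCACmdLineArg` write the two values that gate activation in `GetIsActive`, but unlike `GetIsActive` neither asserts the main thread or the parent process. Adding `MOZ_ASSERT(NS_IsMainThread());` and `MOZ_ASSERT(XRE_IsParentProcess());` at the top of both would match the checks already in `GetIsActive`. The `#ifdef ENABLE_TESTS` guard only protects builds where that macro is undefined, and whether shipped builds define it is not visible on this page. It is worth confirming that, or adding a runtime automation check, so the command-line requirement stays a real gate outside test runs.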


@@ -126,6 +126,8 @@ class ContentAnalysis final : public nsIContentAnalysis {
// Only accessed from the main thread
bool mClientCreationAttempted;
bool mSetByEnterprise;
class CallbackData final {
public:
CallbackData(
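Review bot: `mSetByEnterprise` is added without a comment, directly under the existing `// Only accessed from the main thread` line, so a reader cannot tell whether that constraint is meant to cover it. Since this member decides whether the pref alone may activate content analysis, it deserves its own line, e.g. `// True once enterprise policy has set the enabled pref. Main thread only.` (assuming the main-thread constraint is intended here). The class body continues outside this hunk.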


@@ -184,6 +184,13 @@ interface nsIContentAnalysis : nsISupports
*/
readonly attribute bool mightBeActive;
/**
* True if content-analysis activation was determined by enterprise policy,
* as opposed to enabled with the `allow-content-analysis` command-line
* parameter.
*/
attribute bool isSetByEnterprisePolicy;
/**
* Consults content analysis server, if any, to request a permission
* decision for a network operation. Allows blocking downloading/
@@ -241,4 +248,10 @@ interface nsIContentAnalysis : nsISupports
* Cancels all outstanding DLP requests. Used on shutdown.
*/
void cancelAllRequests();
/**
* Test-only function that pretends that "-allow-content-analysis" was
* given to Gecko on the command line.
*/
void testOnlySetCACmdLineArg(in boolean aVal);
};
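Review bot: `isSetByEnterprisePolicy` is declared as a writable attribute, but its doc comment describes only what a true value means and not who is expected to write it. Because the implementation uses it to decide whether the pref may activate content analysis, the comment should name the intended writer, e.g. `Set only by the enterprise policy engine; other callers must treat it as read-only.` The comment also spells the argument as `allow-content-analysis` without the leading dash used elsewhere in the commit. The `testOnlySetCACmdLineArg` comment could add that the call fails in builds without tests enabled.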


@@ -330,7 +330,7 @@ bool gIsGtest = false;
bool gKioskMode = false;
int gKioskMonitor = -1;
bool gAllowContentAnalysis = false;
bool gAllowContentAnalysisArgPresent = false;
nsString gAbsoluteArgv0Path;
@@ -3986,8 +3986,9 @@ int XREMain::XRE_mainInit(bool* aExitFlag) {
gKioskMonitor = atoi(kioskMonitorNumber);
}
gAllowContentAnalysis = CheckArg("allow-content-analysis", nullptr,
CheckArgFlag::RemoveArg) == ARG_FOUND;
gAllowContentAnalysisArgPresent =
CheckArg("allow-content-analysis", nullptr, CheckArgFlag::RemoveArg) ==
ARG_FOUND;
nsresult rv;
ArgResult ar;


@@ -56,7 +56,7 @@ extern bool gIsGtest;
extern bool gKioskMode;
extern int gKioskMonitor;
extern bool gAllowContentAnalysis;
extern bool gAllowContentAnalysisArgPresent;
namespace mozilla {
nsresult AppInfoConstructor(const nsID& aIID, void** aResult);